Yes, I haven't modified the script, as it's on this url: http://tycho.ws/blog/2014/09/container-migration.html
Bests.

2015-02-04 12:54 GMT+01:00 <[email protected]>:

> Send lxc-users mailing list submissions to
>         [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.linuxcontainers.org/listinfo/lxc-users
> or, via email, send a message with subject or body 'help' to
>         [email protected]
>
> You can reach the person managing the list at
>         [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of lxc-users digest..."
>
> Today's Topics:
>
>    1. Live Migration of a Container (Thouraya TH)
>    2. Re: Live Migration of a Container (Tycho Andersen)
>    3. Unprivileged containers on Debian Jessie (Xavier Gendre)
>    4. unprivileged container with zfs backing (Adam Gold)
>    5. Re: unprivileged container with zfs backing (Fajar A. Nugraha)
>    6. Re: unprivileged container with zfs backing (Adam Gold)
>    7. Re: [Marketing Mail] Re: unprivileged container with zfs
>       backing (Jäkel)
>    8. Re: unprivileged container with zfs backing (Fajar A. Nugraha)
>    9. Re: unprivileged container with zfs backing (Fajar A. Nugraha)
>
>
> ---------- Forwarded message ----------
> From: Thouraya TH <[email protected]>
> To: LXC users mailing-list <[email protected]>
> Cc:
> Date: Tue, 3 Feb 2015 13:06:56 +0100
> Subject: [lxc-users] Live Migration of a Container
> Hello,
>
> *1)* Please, can you explain details of these command:
>
> $ sudo ./migrate u1 [email protected]
>
> I try :
> ./migrate u1 [email protected]
> Bad number of args.
> -bash container [email protected]
>
> *2) *
> Is there a tutorial that specifies the data that will be imported during
> a migration of a container? only CRIU images?
>
> Thanks a lot for help.
>
> Best Regards.
>
> Thouraya.
>
>
>
> ---------- Forwarded message ----------
> From: Tycho Andersen <[email protected]>
> To: LXC users mailing-list <[email protected]>
> Cc:
> Date: Tue, 3 Feb 2015 14:12:17 +0200
> Subject: Re: [lxc-users] Live Migration of a Container
> On Tue, Feb 03, 2015 at 01:06:56PM +0100, Thouraya TH wrote:
> > Hello,
> >
> > *1)* Please, can you explain details of these command:
> >
> > $ sudo ./migrate u1 [email protected]
> >
> > I try :
> > ./migrate u1 [email protected]
> > Bad number of args.
> > -bash container [email protected]
>
> Hmm. Are you using the migrate script unmodified?
>
> > *2) *
> > Is there a tutorial that specifies the data that will be imported during
> > a migration of a container? only CRIU images?
>
> Both the CRIU images and the container disk will be moved; you can see
> this because there are two calls to do_rsync in the script.
>
> Tycho
>
> > Thanks a lot for help.
> >
> > Best Regards.
> >
> > Thouraya.
>
> > _______________________________________________
> > lxc-users mailing list
> > [email protected]
> > http://lists.linuxcontainers.org/listinfo/lxc-users
>
>
>
> ---------- Forwarded message ----------
> From: Xavier Gendre <[email protected]>
> To: [email protected]
> Cc:
> Date: Wed, 04 Feb 2015 10:34:07 +0100
> Subject: [lxc-users] Unprivileged containers on Debian Jessie
> Hi,
>
> following the hints given by Serge Hallyn on the lxc-devel list, I managed
> to run an unprivileged container on my Debian Jessie \o/
>
> Now, I want to avoid handlings and get it works on startup. Thus, I set
> permanently kernel.unprivileged_userns_clone to 1 and I create a systemd
> service to run the following script:
>
> #!/bin/bash
>
> echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
>
> # Allowed users
> lxc_users="user1 user2"
>
> for u in $lxc_users; do
>     for d in /sys/fs/cgroup/*; do
>         mkdir -p "$d/$u"
>         chown -R "$u": "$d/$u"
>     done
> done
>
> The only thing that I need now is to put a 'good' PID in the tasks files
> in order to be allowed to start my unprivileged containers. I can do that
> by login as an allowed user and by putting the PID of the current shell in
> my tasks file. But this solution is volatile and has to be done on each
> startup for each container :-/
>
> Is my approach good? Maybe there is a simpler solution to my problem... If
> this is the way, how can I put a valid PID in the tasks files of the
> allowed users on startup in order, for example, to autostart some
> unprivileged containers?
>
> Thanks,
> Xavier
>
>
>
> ---------- Forwarded message ----------
> From: Adam Gold <[email protected]>
> To: [email protected]
> Cc:
> Date: Wed, 04 Feb 2015 09:58:04 +0000
> Subject: [lxc-users] unprivileged container with zfs backing
> I'm trying to set up an unprivileged container with user lxcd using a
> zfs filesystem (equivalent of btrfs sub volume) for each container. I'm
> aware that for unprivileged container creation, zfs has to be manually
> created. My zfs file system is:
>
> zfs (the pool)
> zfs/lxc
> zfs/lxc/containers
>
>
> The above has been created using the 'zfs create ...' and I have run
> chown -R lxcd:lxcd ./lxc. The umask is the default 022.
>
> In ~/.config/lxc/lxc.conf I have: 'lxc.lxcpath = /zpool1/lxc/containers'
> In ~/.config/lxc/default.conf I have:
> lxc.id_map = u 0 100000 65536
> lxc.id_map = g 0 100000 65536
> lxc.network.type = veth
> lxc.network.link = lxcbr0
> lxc.network.flags = up
> lxc.network.name = eth0
> lxc.network.hwaddr = 00:16:3e:xx:xx:xx
>
> Here's the problem: I try to create a container c1 with the zfs
> filesystem already in place so the first thing I do is run, as root,
> 'zfs create zfs/lxc/containers/c1' and then chown -R lxcd:lxcd ./c1.
>
> I then run 'lxc-create -t download -n c1 -B dir -- -dist ubuntu -release
> trusty -arch amd64' and get the following error:
> lxc_container: lxccontainer.c: create_partial: 164 Permission denied - Erorr creating partial file
> lxc_container: lxc_create.c: main: 271 Error creating container c1
>
> When I check, c1 directory is empty.
>
> I think this is zfs-lxc related (as opposed to just lxc) because if I
> remove the zfs/lxc/containers/c1 filesystem and run the same command
> which now attempts to create the container on a simple dir backing store
> there is no problem.
>
> I've also tried manually creating the directory rootfs underneath c1 and
> then running 'lxc-create -t download -n c1 -B dir --dir
> /zfs/lxc/containers/c1/rootfs -- -dist ubuntu -release trusty -arch
> amd64' but I get the same error messages.
>
> I guess then, the only time it works in zfs, is when the location for
> creating containers is specified in ~/.config/lxc/lxc.conf and the
> rootfs directory of the new container is two dirs down from the root of
> the nearest zfs filesystem (in my example which works:
> zfs/lxc/containers is the specified location, the container rootfs is
> zfs/lxc/containers/c1/rootfs).
>
> In summary, I would like each unprivileged container to run on top of a
> new zfs filesystem which I create as root and assign relevant ownership
> to. Is this possible?
>
>
>
> ---------- Forwarded message ----------
> From: "Fajar A. Nugraha" <[email protected]>
> To: LXC users mailing-list <[email protected]>
> Cc:
> Date: Wed, 4 Feb 2015 17:10:36 +0700
> Subject: Re: [lxc-users] unprivileged container with zfs backing
> On Wed, Feb 4, 2015 at 4:58 PM, Adam Gold <[email protected]> wrote:
>
>> In summary, I would like each unprivileged container to run on top of a
>> new zfs filesystem which I create as root and assign relevant ownership
>> to. Is this possible?
>>
>
> should be possible, BUT not with lxc-create.
>
> The easiest method would probably be to create a "template" container for
> that particular user, and clone it manually (e.g. using zfs snapshot/clone,
> plus edit the config file manually). You already create the fs manually, so
> this workaround might be acceptable.
>
> It might be a bug in lxc-create code which is beyond my abilities.
>
> --
> Fajar
>
>
> ---------- Forwarded message ----------
> From: Adam Gold <[email protected]>
> To: [email protected]
> Cc:
> Date: Wed, 04 Feb 2015 10:46:06 +0000
> Subject: Re: [lxc-users] unprivileged container with zfs backing
>
>
> On 04/02/2015 10:10, Fajar A. Nugraha wrote:
> > On Wed, Feb 4, 2015 at 4:58 PM, Adam Gold <[email protected]
> > <mailto:[email protected]>> wrote:
> >
> >     In summary, I would like each unprivileged container to run on top of a
> >     new zfs filesystem which I create as root and assign relevant ownership
> >     to. Is this possible?
> >
> >
> > should be possible, BUT not with lxc-create.
> >
> > The easiest method would probably be to create a "template" container
> > for that particular user, and clone it manually (e.g. using zfs
> > snapshot/clone, plus edit the config file manually). You already create
> > the fs manually, so this workaround might be acceptable.
>
> I've only ever created containers using lxc-create. Are you saying that
> I should manually create a template container at the root of a
> particular zfs filesystem (e.g. zfs/lxc/containers/c1) and then I simply
> use zfs clone to create each new container (and, of course, tweak the
> config)? If so, what's the best way to manually create a template in
> unprivileged mode to ensure all the subuids and subgids are assigned
> correctly.
>
> Also, for the additional containers that I get from zfs cloning, will
> they be recognised by 'lxc-* -n' commands?
>
> Thanks for your interest in this!
>
>
>
>
>
>
> ---------- Forwarded message ----------
> From: "Jäkel, Guido" <[email protected]>
> To: "'[email protected]'" <[email protected]>
> Cc:
> Date: Wed, 4 Feb 2015 10:59:07 +0000
> Subject: Re: [lxc-users] [Marketing Mail] Re: unprivileged container with
> zfs backing
> Dear Adam,
>
> >From: lxc-users [mailto:[email protected]] On Behalf Of Adam Gold
> >
> >I've only ever created containers using lxc-create. Are you saying that
> >I should manually create a template container at the root of a
> >particular zfs filesystem (e.g. zfs/lxc/containers/c1) and then I simply
> >use zfs clone to create each new container (and, of course, tweak the
> >config)? If so, what's the best way to manually create a template in
> >unprivileged mode to ensure all the subuids and subgids are assigned
> >correctly.
> >
> >Also, for the additional containers that I get from zfs cloning, will
> >they be recognised by 'lxc-* -n' commands?
>
> You also have to clone and tweak the Container's configuration file, usually
> located at /etc/lxc/ . You'll see what is obvious to change - like the
> (nearly arbitrary) location of the containers rootfs.
>
> Guido
>
>
> ---------- Forwarded message ----------
> From: "Fajar A. Nugraha" <[email protected]>
> To: LXC users mailing-list <[email protected]>
> Cc:
> Date: Wed, 4 Feb 2015 18:01:50 +0700
> Subject: Re: [lxc-users] unprivileged container with zfs backing
> On Wed, Feb 4, 2015 at 5:46 PM, Adam Gold <[email protected]> wrote:
>
>>
>>
>> On 04/02/2015 10:10, Fajar A. Nugraha wrote:
>> > On Wed, Feb 4, 2015 at 4:58 PM, Adam Gold <[email protected]
>> > <mailto:[email protected]>> wrote:
>> >
>> >     In summary, I would like each unprivileged container to run on top of a
>> >     new zfs filesystem which I create as root and assign relevant ownership
>> >     to. Is this possible?
>> >
>> >
>> > should be possible, BUT not with lxc-create.
>> >
>> > The easiest method would probably be to create a "template" container
>> > for that particular user, and clone it manually (e.g. using zfs
>> > snapshot/clone, plus edit the config file manually). You already create
>> > the fs manually, so this workaround might be acceptable.
>>
>> I've only ever created containers using lxc-create. Are you saying that
>> I should manually create a template container at the root of a
>> particular zfs filesystem (e.g. zfs/lxc/containers/c1) and then I simply
>> use zfs clone to create each new container (and, of course, tweak the
>> config)?
>
>
> That is the best way that I know of.
>
>
>
>> If so, what's the best way to manually create a template in
>> unprivileged mode to ensure all the subuids and subgids are assigned
>> correctly.
>>
>
> Create it using any normal method known to work. It should be OK when
> .local/share/lxc is on the same filesystem as $HOME, right?
> After that, copy it manually to your template dataset
> (zfs/lxc/containers/template ?) using "rsync -avP" or whatever tool of
> your choice. When you clone the template to a new directory, don't forget
> to change these settings manually in the new container config:
>
> lxc.rootfs
> lxc.utsname
> lxc.network.hwaddr
> lxc.network.veth.pair (if you use this)
>
>
>>
>> Also, for the additional containers that I get from zfs cloning, will
>> they be recognised by 'lxc-* -n' commands?
>>
>>
> AFAIK most lxc commands simply reads whatever is under the directory, and
> doesn't really care what fs they are on.
>
> --
> Fajar
>
>
>
> ---------- Forwarded message ----------
> From: "Fajar A. Nugraha" <[email protected]>
> To: LXC users mailing-list <[email protected]>
> Cc:
> Date: Wed, 4 Feb 2015 18:54:06 +0700
> Subject: Re: [lxc-users] unprivileged container with zfs backing
> On Wed, Feb 4, 2015 at 6:01 PM, Fajar A. Nugraha <[email protected]> wrote:
>
>> On Wed, Feb 4, 2015 at 5:46 PM, Adam Gold <[email protected]> wrote:
>>
>>>
>>> If so, what's the best way to manually create a template in
>>> unprivileged mode to ensure all the subuids and subgids are assigned
>>> correctly.
>>>
>>
>> Create it using any normal method known to work. It should be OK when
>> .local/share/lxc is on the same filesystem as $HOME, right?
>> After that, copy it manually to your template dataset
>> (zfs/lxc/containers/template ?) using "rsync -avP" or whatever tool of
>> your choice. When you clone the template to a new directory, don't forget
>> to change these settings manually in the new container config:
>>
>>
>
> This is what I just tested. Environment:
> - there's a system container called "template"
> - user "user" is allowed to create its own container (including setting
>   /etc/subuid)
> - I want to copy the system container to user container
>
> Current permissions:
> # grep user /etc/subuid
> user:100000:65537
>
> # grep user /etc/subgid
> user:100000:65537
>
> # ls -la /var/lib/lxc/template/
> total 6
> drwxr-xr-x  3 root root   4 Jul 10  2014 .
> drwxr-xr-x  4 root root   4 Jan 22 19:26 ..
> -rw-r--r--  1 root root 691 Jul 10  2014 config
> drwxr-xr-x 21 root root  21 Feb  4 18:32 rootfs
>
> # ls -la /home/user/.local/share/lxc/template/
> total 6
> drwxr-xr-x  3 user   user    4 Feb  4 18:39 .
> drwxr-xr-x  3 user   user    4 Feb  4 18:37 ..
> drwxr-xr-x 21 100000 100000 21 Feb  4 18:32 rootfs
>
> # df -h /home/user/.local/share/lxc/template/
> Filesystem               Size  Used Avail Use% Mounted on
> rpool/lxc/user/template   46G  164M   46G   1% /home/user/.local/share/lxc/template
>
> Note that /home/user/.local/share/lxc/template/rootfs is EMPTY. The zfs
> datasets, owner, and permission were created/set by root.
> I can then run this command to copy system's rootfs to user's rootfs,
> with the correct permissions:
>
> # tar -C /var/lib/lxc/template/rootfs -cf - . | su - user -c "lxc-usernsexec -- tar -C /home/user/.local/share/lxc/template/rootfs -xf - --exclude ./dev/*"
>
> WARN: could not reopen tty: No such file or directory
> tar: ./dev/log: socket ignored
>
> Ignore the warning messages. Next step is to create
> /home/user/.local/share/lxc/template/config, like so:
> ###
> # Template used to create this container: /usr/share/lxc/templates/lxc-download
> # Parameters passed to the template: -d ubuntu -r trusty -a amd64
> # For additional config options, please look at lxc.conf(5)
>
> # Distribution configuration
> lxc.include = /usr/share/lxc/config/ubuntu.common.conf
> lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
> lxc.arch = x86_64
>
> # Container specific configuration
> lxc.id_map = u 0 100000 65536
> lxc.id_map = g 0 100000 65536
> lxc.rootfs = /home/user/.local/share/lxc/template/rootfs
> lxc.utsname = template
>
> # Network configuration
> lxc.network.type = veth
> lxc.network.veth.pair = veth-u-te-0
> lxc.network.flags = up
> lxc.network.link = br0
> lxc.network.hwaddr = 00:16:3E:3A:53:E7
> ###
>
> Note that I use br0, where the default bridge created by lxc is lxcbr0, so
> you need to make sure it's correct.
>
> When creating another container for the same user "user", I can simply use
> zfs clone rpool/lxc/user/template. If I wanted to create container for
> another user (e.g. "user2"), then I need to repeat the "tar" method above
> as a different user (e.g. "| su - user2 -c ...")
>
>
>>
>>> Also, for the additional containers that I get from zfs cloning, will
>>> they be recognised by 'lxc-* -n' commands?
>>>
>>>
>> AFAIK most lxc commands simply reads whatever is under the directory, and
>> doesn't really care what fs they are on.
>>
>>
>
> After doing the above steps I can do this:
>
> $ id
> uid=1000(user) gid=1000(user) groups=1000(user),4(adm),6(disk),27(sudo)
>
> $ lxc-ls -f
> NAME      STATE    IPV4  IPV6  GROUPS  AUTOSTART
> ------------------------------------------------
> template  STOPPED  -     -     -       NO
>
> $ lxc-start -d -n template
>
> $ lxc-ls -f
> NAME      STATE    IPV4             IPV6  GROUPS  AUTOSTART
> -----------------------------------------------------------
> template  RUNNING  192.168.124.104  -     -       NO
>
> $ lxc-attach -n template id
> uid=0(root) gid=0(root) groups=0(root)
>
> $ lxc-attach -n template ip ad li eth0
> 25: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether 00:16:3e:3a:53:e7 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.124.104/24 brd 192.168.124.255 scope global eth0
>        valid_lft forever preferred_lft forever
>     inet6 fe80::216:3eff:fe3a:53e7/64 scope link
>        valid_lft forever preferred_lft forever
>
> $ lxc-stop -n template
>
> $ lxc-ls -f
> NAME      STATE    IPV4  IPV6  GROUPS  AUTOSTART
> ------------------------------------------------
> template  STOPPED  -     -     -       NO
>
> --
> Fajar
>
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
_______________________________________________ lxc-users mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-users
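
The quoted thread lists four keys that must be changed by hand in a config copied from a zfs-cloned template (lxc.rootfs, lxc.utsname, lxc.network.hwaddr, lxc.network.veth.pair); a clone whose lxc.rootfs is left unchanged would start on the template's rootfs. The script below is an added example, not code from the thread or from LXC: the function names, the container name c1 and the sample paths are assumptions, and the sample config is constructed from the one quoted above.

```shell
#!/bin/sh
# Added example: rewrite the per-container keys of a config copied from a
# cloned template (LXC 1.x key names, as used in the thread).
# All function names here are hypothetical helpers.

# Constructed sample input: the thread's template config, shortened.
sample_template_config() {
    cat <<'EOF'
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /home/user/.local/share/lxc/template/rootfs
lxc.utsname = template
lxc.network.type = veth
lxc.network.veth.pair = veth-u-te-0
lxc.network.link = br0
lxc.network.hwaddr = 00:16:3E:3A:53:E7
EOF
}

# Random MAC under the 00:16:3e prefix that the thread's configs use.
gen_hwaddr() {
    od -An -N3 -tx1 /dev/urandom |
        awk '{ printf "00:16:3e:%s:%s:%s\n", $1, $2, $3 }'
}

# usage: rewrite_clone_config NAME ROOTFS HWADDR VETH < template-config
# Prints the new config on stdout; every other key (id_map, bridge) is kept.
rewrite_clone_config() {
    name=$1 rootfs=$2 hwaddr=$3 veth=$4
    # Linux interface names are limited to 15 characters.
    if [ "${#veth}" -gt 15 ]; then
        echo "veth pair name too long: $veth" >&2
        return 1
    fi
    awk -v name="$name" -v rootfs="$rootfs" -v hwaddr="$hwaddr" -v veth="$veth" '
        BEGIN { FS = "[ \t]*=[ \t]*" }
        $1 == "lxc.rootfs"            { print "lxc.rootfs = " rootfs; next }
        $1 == "lxc.utsname"           { print "lxc.utsname = " name; next }
        $1 == "lxc.network.hwaddr"    { print "lxc.network.hwaddr = " hwaddr; next }
        $1 == "lxc.network.veth.pair" { print "lxc.network.veth.pair = " veth; next }
        { print }
    '
}

# Demo: the config for a clone named c1 (path is an assumed example).
sample_template_config |
    rewrite_clone_config c1 /home/user/.local/share/lxc/c1/rootfs \
        "$(gen_hwaddr)" veth-u-c1-0
```

Redirect the output to the clone's own config file; the id_map lines are passed through untouched because clones for the same user share that user's subuid/subgid range.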
